formbook | 90e7c97ea4917a6efb5c0a69bd6f481b1a5023d6f8ad0f22d123c417edff8a68

General

Target

Documents pdf.exe
Size

533KB
MD5

027d8e07155bc564f7b522183018efe6
SHA1

10348a89cc88e0911f507a2d4aa50071718b096c
SHA256

90e7c97ea4917a6efb5c0a69bd6f481b1a5023d6f8ad0f22d123c417edff8a68
SHA512

5d1c8f6f0121df79767de6de22e7f513972aceeafd7376086511c8575187e224190a408340ec57835e9c0e0a347d47d7e4fd70c8618f91cf638c23b3acc5c3d3

Score

10^/10

formbook rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.valiantfinancial.net/hth0/

Decoy

grahamandjana.com

surfpodcastnetwork.com

valkyrie20.com

hire4looks.com

wewalkfastasone.com

saveourschoolyear.com

5g23e.com

abusinesssystems.com

telefonepantalla.com

tailorscafe.com

schwarzer-markt.net

stopwatch247.com

458grandbetting.com

xpovision.com

kutkingbarbering.life

kppp-guxxz.xyz

chuckwagon-chow.com

la-casa-delle-vita.com

creativesocials.com

negociacoeshojebr.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/968-69-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/968-70-0x000000000041ED60-mapping.dmp	formbook
behavioral1/memory/1900-77-0x00000000000C0000-0x00000000000EE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1184 cmd.exe

pid	process
1184	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Documents pdf.exeDocuments pdf.exechkdsk.exe

description	pid	process	target process
PID 1888 set thread context of 968	1888	Documents pdf.exe	Documents pdf.exe
PID 968 set thread context of 1260	968	Documents pdf.exe	Explorer.EXE
PID 1900 set thread context of 1260	1900	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1076 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

pid	process
1076	schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

Documents pdf.exechkdsk.exe

pid	process
968	Documents pdf.exe
968	Documents pdf.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe
1900	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Documents pdf.exechkdsk.exe

pid process

968 Documents pdf.exe
968 Documents pdf.exe
968 Documents pdf.exe
1900 chkdsk.exe
1900 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Documents pdf.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 968 Documents pdf.exe
Token: SeDebugPrivilege 1900 chkdsk.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE
1260 Explorer.EXE
1260 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE
1260 Explorer.EXE
1260 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	968	Documents pdf.exe
Token: SeDebugPrivilege	1900	chkdsk.exe

pid	process
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE

pid	process
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Documents pdf.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1888 wrote to memory of 1076	1888	Documents pdf.exe	schtasks.exe
PID 1888 wrote to memory of 1076	1888	Documents pdf.exe	schtasks.exe
PID 1888 wrote to memory of 1076	1888	Documents pdf.exe	schtasks.exe
PID 1888 wrote to memory of 1076	1888	Documents pdf.exe	schtasks.exe
PID 1888 wrote to memory of 968	1888	Documents pdf.exe	Documents pdf.exe
PID 1888 wrote to memory of 968	1888	Documents pdf.exe	Documents pdf.exe
PID 1888 wrote to memory of 968	1888	Documents pdf.exe	Documents pdf.exe
PID 1888 wrote to memory of 968	1888	Documents pdf.exe	Documents pdf.exe
PID 1888 wrote to memory of 968	1888	Documents pdf.exe	Documents pdf.exe
PID 1888 wrote to memory of 968	1888	Documents pdf.exe	Documents pdf.exe
PID 1888 wrote to memory of 968	1888	Documents pdf.exe	Documents pdf.exe
PID 1260 wrote to memory of 1900	1260	Explorer.EXE	chkdsk.exe
PID 1260 wrote to memory of 1900	1260	Explorer.EXE	chkdsk.exe
PID 1260 wrote to memory of 1900	1260	Explorer.EXE	chkdsk.exe
PID 1260 wrote to memory of 1900	1260	Explorer.EXE	chkdsk.exe
PID 1900 wrote to memory of 1184	1900	chkdsk.exe	cmd.exe
PID 1900 wrote to memory of 1184	1900	chkdsk.exe	cmd.exe
PID 1900 wrote to memory of 1184	1900	chkdsk.exe	cmd.exe
PID 1900 wrote to memory of 1184	1900	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\Documents pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Documents pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PwTRIU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F99.tmp"
3⤵
- Creates scheduled task(s)
PID:1076

C:\Users\Admin\AppData\Local\Temp\Documents pdf.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Documents pdf.exe"
3⤵
- Deletes itself
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9F99.tmp
MD5
04c5fd336d57e7f20d095aa34d4de682

SHA1
dd7d70a25ed71b55a2a94a6640bd8bbcbb160194

SHA256
19ebde9134944891107f8ea1b188e803d6ecf9a29b1f167ee6bb2ebbec2a2a7c

SHA512
d8c584f5146ca6fc22cead0c107a6430d59757c380bc7c1e223a317aa9970a03df06aa41af4e68f3bfc61b4314de699365bc3f41fae77d40548ffddddc1dc053

Download Submit
memory/968-71-0x0000000000A00000-0x0000000000D03000-memory.dmp

Filesize
3.0MB

Download
memory/968-72-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/968-70-0x000000000041ED60-mapping.dmp

Download
memory/968-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1076-67-0x0000000000000000-mapping.dmp

Download
memory/1184-75-0x0000000000000000-mapping.dmp

Download
memory/1260-73-0x0000000004DF0000-0x0000000004EC7000-memory.dmp

Filesize
860KB

Download
memory/1260-80-0x0000000004F70000-0x00000000050D9000-memory.dmp

Filesize
1.4MB

Download
memory/1888-63-0x0000000004A85000-0x0000000004A96000-memory.dmp

Filesize
68KB

Download
memory/1888-66-0x0000000000B50000-0x0000000000B8A000-memory.dmp

Filesize
232KB

Download
memory/1888-62-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1888-61-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/1888-64-0x00000000002F0000-0x00000000002F2000-memory.dmp

Filesize
8KB

Download
memory/1888-59-0x0000000010710000-0x0000000010711000-memory.dmp

Filesize
4KB

Download
memory/1888-65-0x0000000004C70000-0x0000000004CFA000-memory.dmp

Filesize
552KB

Download
memory/1900-74-0x0000000000000000-mapping.dmp

Download
memory/1900-76-0x0000000000640000-0x0000000000647000-memory.dmp

Filesize
28KB

Download
memory/1900-77-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/1900-78-0x0000000002180000-0x0000000002483000-memory.dmp

Filesize
3.0MB

Download
memory/1900-79-0x0000000001EB0000-0x0000000001F43000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads